Viewing 7 replies - 1 through 7 (of 7 total)
  • I agree it should be a password field.

    Or maybe hidden by default with a link/button to view when needed. This way you can prevent the support tickets for users who have trouble with copy/paste or typing out the API key.

  • Good suggestion, this is something we’ll look to add in the next version.

  • Thanks for suggesting this, guys, I’d also like to add my enthusiasm for this feature. I’m not using the API key functionality on ANY site yet because of this lack of security.

    I have one Cloudflare account that services multiple clients and domains, thus one API key which could affect completely separate businesses. Too risky until this feature is added.

  • I vote for this also ASAP!! We’d like to use this for a number of client sites that are all in the same CloudFlare account but don’t want to expose the plugin API to any of them. It really should be not only obscured on the front-end but 1-way encrypted in the database as well.

  • Any update on this? I’m in the same scenario as above; it’s a big security flaw: if one client’s site gets hacked it could allow API access to a whole bunch of others. myaffee, you’re right, not only hidden but encrypted in DB too.

  • Hi simon-says, I’m also in favor of having the API key obscured once it’s been saved. Do you have this available on GitHub?

  • I agree! The concerns caused by the API key in clear text on the settings page pale in comparison to the key STORED as plain text in the DB — far more attack vectors on the DB than on the clear text of a single options screen.

    I understand there are issues surrounding encrypting data in the WP DB, (https://ww.wp.xz.cn/support/topic/encrypt-smtp-login-information/) but since the CloudFlare API key is only necessary when actively making changes to the CF account in question, many of the concerns outlined in the referenced article are moot. Specifically, the API key could be encrypted with a user-known passphrase and decrypted (either 1 time or for the session) by requesting the passphrase whenever an API call needs to be made. Additionally, if this were a session-long decryption, it’s reasonable that the decrypted API key could be stored in cookies. (Yes, less secure. But again, the attack surface of a user’s computer is MUCH smaller than the WP DB.)

    • This reply was modified 9 years, 5 months ago by Lucas Balzer. Reason: Wanted to offer a solution. At first I just +1ed the feature request
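The scheme sketched in the last reply, an API key encrypted under a passphrase the operator supplies at the moment an API call is made, together with the masked settings-page display the first reply asks for, as an added PHP example. This is not the Cloudflare plugin's own code and not something posted in the thread; the `cf_` function names are hypothetical, and it assumes PHP 7.2+ with the bundled sodium extension. The database (for example a WordPress option) only ever holds the base64 blob returned by `cf_seal_api_key()`; the passphrase is never stored.

```php
<?php
// Added example, not the Cloudflare plugin's code. Encrypt a stored API key
// under an operator-supplied passphrase so the options table holds only
// ciphertext. Requires PHP >= 7.2 with the sodium extension.

declare(strict_types=1);

/**
 * Derive a secretbox key from the passphrase and a per-record random salt
 * (Argon2id via sodium_crypto_pwhash, interactive cost parameters).
 */
function cf_derive_key(string $passphrase, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $passphrase,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

/**
 * Encrypt the API key. Returns one base64 string of salt . nonce . ciphertext,
 * which is what would be written with update_option() instead of the raw key.
 */
function cf_seal_api_key(string $apiKey, string $passphrase): string
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = cf_derive_key($passphrase, $salt);
    $box   = sodium_crypto_secretbox($apiKey, $nonce, $key);
    sodium_memzero($key);
    return base64_encode($salt . $nonce . $box);
}

/**
 * Decrypt for the current request only. Returns null on a wrong passphrase or
 * a tampered blob: secretbox authenticates the ciphertext, so a bad key fails
 * closed instead of yielding garbage that would then be sent to the API.
 */
function cf_open_api_key(string $stored, string $passphrase): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_PWHASH_SALTBYTES
         + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES
         + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $salt  = substr($raw, 0, SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = substr($raw, SODIUM_CRYPTO_PWHASH_SALTBYTES, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_PWHASH_SALTBYTES + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = cf_derive_key($passphrase, $salt);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    sodium_memzero($key);
    return $plain === false ? null : $plain;
}

/**
 * What the settings page shows once a key has been saved: the key itself never
 * goes back into the HTML, only a fixed-width mask plus the last four characters
 * so the operator can tell which key is configured.
 */
function cf_mask_for_display(string $apiKey): string
{
    $tail = strlen($apiKey) > 4 ? substr($apiKey, -4) : '';
    return str_repeat('*', 12) . $tail;
}

// Demo with constructed (fake) values. In the plugin, the passphrase would be
// prompted for on the request that performs the API call and discarded after.
$fakeKey = 'constructed-example-api-key-0000';
$stored  = cf_seal_api_key($fakeKey, 'constructed passphrase');

$opened = cf_open_api_key($stored, 'constructed passphrase');
echo 'round trip ok: ', var_export($opened === $fakeKey, true), PHP_EOL;
echo 'wrong passphrase: ', var_export(cf_open_api_key($stored, 'nope'), true), PHP_EOL;
echo 'settings page shows: ', htmlspecialchars(cf_mask_for_display($fakeKey), ENT_QUOTES), PHP_EOL;
```

The decrypted key lives only in the variable of the request that needs it; it is not placed in a cookie or a session, so a compromised browser or a leaked session store does not yield the key, which is the one part of the reply's proposal this example deliberately narrows. A per-record salt and nonce mean two sites in the same Cloudflare account that happen to share a passphrase still produce unrelated ciphertext, and the authenticated box means a database write that alters the blob is detected rather than silently decrypting to something else.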

The topic ‘API key displayed on screen’ is closed to new replies.